deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-18 20:03:40 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Update system-guard-secure-launch-and-smm-protection.md

Browse Source 
Clarified that some Intel fTPMs (technically "integrated" TPMs) are now supported.

Intel has had an integrated hardware TPM in its CPUs for a while.  It is not usually enabled on.  They call it Platform Trust Technology or PTT, and it meets the TPM 2.0 spec.  OEMs can use this PTT instead of a discrete TPM.  The Core i5-10310U is one of these Comet Lake chips with PTT.
This commit is contained in:
Brent Kendall
2021-06-30 10:21:55 -07:00
committed by GitHub
parent 211d47f62c
commit 16c3429dde
1 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
View File

@ -74,7 +74,7 @@ To verify that Secure Launch is running, use System Information (MSInfo32). Clic
|For Intel® vPro™ processors starting with Intel® Coffeelake, Whiskeylake, or later silicon|Description|
|--------|-----------|
|64-bit CPU|A 64-bit computer with minimum 4 cores (logical processors) is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](/virtualization/hyper-v-on-windows/reference/tlfs).|
|Trusted Platform Module (TPM) 2.0|Platforms must support a discrete TPM 2.0. Integrated/firmware TPMs are not supported.|
|Trusted Platform Module (TPM) 2.0|Platforms must support a discrete TPM 2.0. Integrated/firmware TPMs are not supported, with the exception of Intel chips that support Platform Trust Technology (PTT), which is a type of integrated hardware TPM that meets the TPM 2.0 spec.|
|Windows DMA Protection|Platforms must meet the Windows DMA Protection Specification (all external DMA ports must be off by default until the OS explicitly powers them).|
|SMM communication buffers| All SMM communication buffers must be implemented in EfiRuntimeServicesData ,EfiRuntimeServicesCode , EfiACPIMemoryNVS, or EfiReservedMemoryType memory types. |
|SMM Page Tables| Must NOT contain any mappings to EfiConventionalMemory (e.g. no OS/VMM owned memory). <br/>Must NOT contain any mappings to code sections within EfiRuntimeServicesCode. <br/>Must NOT have execute and write permissions for the same page <br/>Must allow ONLY that TSEG pages can be marked executable and the memory map must report TSEG EfiReservedMemoryType. <br/>BIOS SMI handler must be implemented such that SMM page tables are locked on every SMM entry. |
@ -94,4 +94,4 @@ To verify that Secure Launch is running, use System Information (MSInfo32). Clic
|Platform firmware update|System firmware is recommended to be updated via UpdateCapsule in Windows Update. |
> [!NOTE]
> For more details around AMD processors, see [Microsoft Security Blog: Force firmware code to be measured and attested by Secure Launch on Windows 10](https://www.microsoft.com/security/blog/2020/09/01/force-firmware-code-to-be-measured-and-attested-by-secure-launch-on-windows-10/).
> For more details around AMD processors, see [Microsoft Security Blog: Force firmware code to be measured and attested by Secure Launch on Windows 10](https://www.microsoft.com/security/blog/2020/09/01/force-firmware-code-to-be-measured-and-attested-by-secure-launch-on-windows-10/).